## https://sploitus.com/exploit?id=805FCFAF-D9DD-5870-AE2C-44FA673CCB8B
# vuln-scanner-agent

A multi-agent vulnerability scanner for GitHub repositories, Docker images, and web applications. Combines CVE detection, static analysis, LLM-powered code review, and exploitability assessment in a single CLI.

## Features

- **Dependency CVEs** — scans lock files against OSV.dev (npm, pip, Ruby, Go, Rust, Java, PHP)
- **SAST** — 55 custom Semgrep rules across 7 languages (Python, JS, Java, PHP, Go, Ruby, C#)
- **Docker image scanning** — Trivy-backed layer analysis
- **LLM code review** — 3-pass analysis (app understanding → file-by-file → cross-file synthesis). Finds IDOR, auth bypass, mass assignment, hardcoded secrets, business logic flaws
- **CVE gap analysis** — LLM-discovered CVEs validated against OSV API before inclusion
- **Exploitability assessment** — for each HIGH/CRITICAL CVE, checks whether the vulnerable code path is reachable with user input
- **Git history scan** — detects secrets committed and later deleted (AWS keys, OpenAI, GitHub tokens, Stripe, DB URLs)
- **Web scanning** — HTTP headers, SSL/TLS, nuclei integration
- **Autonomous pentest** — DeepSeek R1 ReAct loop with web_request/run_command/execute_python tools
- **GitHub issue creation** — post findings directly to your repo

## Architecture

```
scan.py
└── Orchestrator
    ├── Phase 1 (parallel)
    │   ├── DepAgent         → OSV.dev batch API
    │   ├── SASTAgent        → Semgrep CLI (rules/)
    │   └── GitHistoryAgent  → git log -p (200 commits)
    ├── Phase 2 — LLM (parallel, skipped with --no-llm)
    │   ├── LLMScanAgent     → DeepSeek V3, 3-pass file analysis
    │   ├── CVEGapAgent      → LLM + OSV cross-validation
    │   └── ExploitabilityAgent → per-package reachability analysis
    ├── DockerAgent          → Trivy (if --image)
    ├── WebAgent             → headers + SSL + nuclei (if --url)
    ├── TriageAgent          → dedup + sort + LLM enrich (CRITICAL/HIGH)
    └── ReportAgent          → markdown report
```

## Agents

| Agent | Role | Tool |
|-------|------|------|
| `DepAgent` | Scans lock files for known CVEs | OSV.dev API |
| `SASTAgent` | Static analysis (55 rules, 7 languages) | Semgrep |
| `GitHistoryAgent` | Finds secrets deleted from git history | git |
| `LLMScanAgent` | Deep code review (IDOR, auth bypass, logic flaws) | DeepSeek V3 |
| `CVEGapAgent` | Discovers CVEs beyond OSV, validates each one | DeepSeek V3 + OSV |
| `ExploitabilityAgent` | Checks if vulnerable code paths are reachable | DeepSeek V3 |
| `DockerAgent` | Scans Docker image layers | Trivy |
| `WebAgent` | HTTP headers, SSL, nuclei | nuclei |
| `LLMWebAgent` | BFS crawl + LLM analysis per page | DeepSeek V3 |
| `TriageAgent` | Dedup, sort, LLM enrichment of CRITICAL/HIGH | DeepSeek V3 |
| `ReportAgent` | Generates structured markdown report | — |
| `PentestAgent` | Autonomous ReAct pentest loop | DeepSeek R1 |
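
The git history scan described above (`git log -p`, secrets that were committed and later deleted) can be sketched as follows. This is an added example, not the project's `GitHistoryAgent` code; the regexes, the function names and the trimmed sample log are assumptions made for illustration.

```python
import re

# Assumed token formats (not GitHistoryAgent's rules); SAMPLE_LOG is constructed, all values fake.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
    "db_url_password": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:@/]+:[^\s@]+@"),
}
SAMPLE_LOG = '''commit 2222222222222222222222222222222222222222
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,2 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
-DB = "postgres://app:hunter2@db.internal/app"
+AWS_KEY = os.environ["AWS_KEY"]
+DB = os.environ["DB"]
commit 1111111111111111111111111111111111111111
diff --git a/settings.py b/settings.py
--- /dev/null
+++ b/settings.py
@@ -0,0 +1,2 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB = "postgres://app:hunter2@db.internal/app"
'''

def scan_git_log(log_text):
    """Return secret hits on added/removed diff lines, tagged with commit and file."""
    hits, commit, path, in_hunk = [], None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1][:7], False
        elif line.startswith("diff --git "):
            path, in_hunk = None, False
        elif not in_hunk and line.startswith(("--- a/", "+++ b/")):
            path = line[6:]  # file header, not a removed/added content line
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line[:1] in ("+", "-"):
            change = "added" if line[0] == "+" else "removed"
            for kind, rx in PATTERNS.items():
                if rx.search(line[1:]):  # record the location, never the value
                    hits.append({"commit": commit, "file": path, "kind": kind, "change": change})
    return hits

def deleted_secrets(log_text):
    """Secrets a later commit removed: absent from HEAD, still in history."""
    return [h for h in scan_git_log(log_text) if h["change"] == "removed"]
```

A hit with `change == "removed"` means the value is gone from the working tree but still readable by anyone with the repository history, so the credential needs rotating, not just deleting.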

## Benchmark

Tested against 8 tools on 4 intentionally vulnerable apps (no LLM, for fairness):

| Tool | pygoat (pip) | juice-shop (npm) | dvna (npm) | railsgoat (ruby) |
|------|:---:|:---:|:---:|:---:|
| **vuln-scanner-agent** | **192** | 54 | 41 | 54 |
| osv-scanner | 167 | 65 | 52 | 142 |
| grype | 135 | 62 | 52 | 142 |
| trivy fs | 135 | 67 | 53 | 55 |
| npm audit | — | 45 | 24 | — |
| bandit (SAST) | 65 | — | — | — |

With LLM enabled on pygoat: **264 findings** (+72 vs no-LLM), including 64 findings in custom code (IDOR, auth bypass, hardcoded secrets) that no other tool detects.

## Installation

```bash
pip install -r requirements.txt
```

External tools (optional, extend coverage):
- [Semgrep](https://semgrep.dev/docs/getting-started/) — required for SAST
- [Trivy](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) — required for `--image`
- [nuclei](https://nuclei.projectdiscovery.io/nuclei/get-started/) — optional, enhances `--url`

## Configuration

```bash
cp .env.example .env
# Edit .env and add your OPENROUTER_API_KEY
```

| Variable | Required | Description |
|----------|:--------:|-------------|
| `OPENROUTER_API_KEY` | For LLM features | DeepSeek V3/R1 via OpenRouter |
| `OPENAI_API_KEY` | Alternative | OpenAI instead of OpenRouter |
| `GITHUB_TOKEN` | For `--issue` | Creates GitHub issue with findings |

## Usage

```bash
# Scan a GitHub repo (with full LLM analysis)
python scan.py --repo https://github.com/user/repo

# Scan a Docker image
python scan.py --image nginx:1.14.0

# Scan a web app
python scan.py --url https://example.com

# Combine targets
python scan.py --repo https://github.com/user/repo --image myapp:latest --url https://myapp.com

# Skip LLM (faster, no API key needed)
python scan.py --repo https://github.com/user/repo --no-llm

# Create a GitHub issue with findings
python scan.py --repo https://github.com/user/repo --issue

# Autonomous pentest mode (DeepSeek R1 ReAct loop)
python scan.py --url https://target.com --pentest

# Custom output path
python scan.py --repo https://github.com/user/repo --output my-report.md
```

## Output

Generates a `report.md` with:
- Dependency CVEs table with severity, CVSS vector, and **Exploitable?** column
- SAST findings with file/line references
- LLM findings with attack scenario descriptions
- Docker CVE breakdown by layer
- Web findings (headers, SSL, nuclei)
- Git history secrets (with commit hash)
- Cost summary (tokens used + USD cost per LLM call)

## Scan results (examples)

| Target | Findings | CRITICAL | HIGH | Time | LLM cost |
|--------|:--------:|:--------:|:----:|-----:|:--------:|
| `nginx:1.14.0` | 280 | 39 | 107 | 106s | — |
| `juice-shop` (repo) | 71 | 0 | 12 | 13s | — |
| `pygoat` (repo, LLM) | 264 | 26 | 74 | ~60s | $0.02 |
| `demo.testfire.net` (web) | 37 | 0 | 9 | 75s | $0.001 |

## Lock file support

| Ecosystem | Lock files detected |
|-----------|-------------------|
| npm | `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
| pip | `Pipfile.lock`, `poetry.lock`, `requirements.txt` |
| Ruby | `Gemfile.lock` |
| Go | `go.sum` |
| Rust | `Cargo.lock` |
| Java | `pom.xml` |
| PHP | `composer.lock` |
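
How a `requirements.txt` from the table above maps onto an OSV.dev batch query, as an added example that is not the project's `DepAgent` code. The request body follows OSV's public `POST /v1/querybatch` format; the parsing rules, function names and sample file are assumptions for illustration.

```python
import re

# "name==1.2.3" with optional extras; "===" (arbitrary equality) is rejected.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==(?!=)\s*([^\s;#]+)")

# Constructed requirements.txt content.
SAMPLE_REQUIREMENTS = """\
# web stack
Django==2.2.0
requests[security]==2.19.1 ; python_version >= "3.6"
PyYAML>=5.1
-r dev-requirements.txt
Pillow == 6.2.0  # pinned
"""

def parse_requirements(text):
    """Split entries into exact pins and lines that give no single version to query."""
    pinned, unpinned = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN.match(line)
        if m and "*" not in m.group(2):  # "==1.*" is a range, not a pin
            # PEP 503 normalisation: "PyYAML", "py_yaml" and "py.yaml" are one package
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pinned.append((name, m.group(2)))
        else:
            unpinned.append(line)
    return pinned, unpinned

def osv_batch_body(pinned, ecosystem="PyPI"):
    """Build the JSON body for POST https://api.osv.dev/v1/querybatch."""
    return {"queries": [{"package": {"name": name, "ecosystem": ecosystem},
                         "version": version}
                        for name, version in pinned]}
```

Entries returned in `unpinned` (ranges, `-r` includes) carry no exact version, so a version-based query cannot produce findings for them; a report should list them as unscanned rather than drop them silently.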

## Cost

LLM calls use DeepSeek V3 (analysis) and DeepSeek R1 (reasoning) via OpenRouter. Typical costs:
- Repo scan with LLM: **$0.01–$0.05** depending on codebase size
- Web scan with LLM: **< $0.01**
- `--no-llm`: **$0.00**

## Roadmap

- [ ] Nightly cron on own GitHub repos + webhook on push/PR
- [ ] Datadog APM integration (ddtrace + custom metrics)
- [ ] Telegram alerts on CRITICAL findings
- [ ] CVSS numeric score calculation from OSV vectors
- [ ] Semgrep rules for Kotlin, Swift, Rust